In my country, Austria, a telecommunications data retention law will be executed starting on April 1. Internet carriers are required to store connection data (from which computer to which server), but no actual data payloads, for up to 6 months.

I would like to avoid the government knowing which of the many million Facebook profiles is mine (I'm using a pseudonym as name). AFAIK, SSL encrypts the GET-parameters as well, so my profile id should be safe from storing. Is there any other way the government could find out about my FB profile id, given only the connection data?

@manmal - There is very little you can do if your ISP is recording what domains you visit unless you use an encrypted VPN connection.
– Ramhound May 2 '12 at 17:04

For example, they could ask Facebook, giving them your IP.
– CodesInChaos May 2 '12 at 17:20

"given only the connection data", and not content, there would not be a way to determine which account was logged into.
– schroeder♦ May 2 '12 at 17:22

@schroeder - I think the objective of storing the connection data is to be able to use it to subpoena information from Facebook or anybody else. So if from subpoenaing the ISP they know you logged into Facebook with a given IP at a given time, they can require Facebook to tell you which account was logged in to.
– Mark May 3 '12 at 10:49

@schroeder: Not directly, no. Alas, traffic analysis can give you lots of indirect hints; with enough indirect data, you can make a pretty accurate picture of who did what when and where. For a very simple example: "after loading a page from Facebook's server, the user loaded a page from example.com's server? Hmm, let's see who posted or liked a link to example.com at Facebook lately...see if it isn't our man"
– Piskvor May 3 '12 at 12:21

1 Answer
1

If the ISP is only storing the header data (information letting them know that the connection occurred, when it occurred, how long it was, and how much data was transmitted), they can't tie you to a Facebook account based on that information alone.

However, they could subpoena Facebook for any logs they have tied to your IP address and determine your account from there.

If you want to be as anonymous as possible, I would recommend giving Tor a try. It is a project that allows users to bounce their traffic through several nodes located around the world while no single node is capable of determining the source and destination of the traffic. Specifically, try the Tor browser bundle (Google is your friend for finding it). It provides fairly strong anonymity, but make sure you still use SSL, because the node that your traffic goes through to reach the rest of the internet will see it unencrypted if you don't, and they have been known to log traffic in the past.

In short, with Tor you can hide (even from your ISP) the fact that your IP address connected to Facebook at some point in time. Beyond that, there's not much you can do.

I am using ExpressVPN and I'm quite satisfied with that, no need to burden Tor with my tremendous traffic amounts :) Thing is, I don't want to always have VPN enabled, as I've done nothing wrong. The first part of your answer was what I was looking for, thank you!
– manmal May 7 '12 at 12:13

If you're using something like that, then the government would have to subpoena ExpressVPN for your traffic history. The ISP wouldn't even know you were going to Facebook; the only thing that would show up in their logs is traffic going to ExpressVPN.
– chrisbdaemon May 7 '12 at 20:29
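
The correlation described in the answer and comments above, as an added example that is not part of the original thread: retained ISP records alone name no account, a join with the service's own log on IP and time does, and a VPN moves that join to the VPN provider. All addresses, record layouts, account names and the existence of a VPN-side log are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (documentation IP ranges); not real records.
T = datetime(2012, 5, 2, 17, 0, 0)
SERVICE_NET = "203.0.113."     # assumed address block of the web service
VPN_SERVER = "198.51.100.7"    # assumed VPN entry address seen by the ISP
VPN_EXIT = "198.51.100.8"      # assumed VPN exit address seen by the service
WINDOW = timedelta(seconds=30)

# What the ISP retains: who connected where and when, no payload.
ISP_RECORDS = [
    {"subscriber": "A", "src": "192.0.2.10", "dst": "203.0.113.5", "start": T},
    {"subscriber": "B", "src": "192.0.2.20", "dst": VPN_SERVER, "start": T},
]
# What the service could disclose: client IP, time, account.
SERVICE_LOG = [
    {"ip": "192.0.2.10", "time": T + timedelta(seconds=2), "account": "pseudonym-1"},
    {"ip": VPN_EXIT, "time": T + timedelta(seconds=3), "account": "pseudonym-2"},
]
# What a VPN provider could disclose, if it keeps such records (assumption).
VPN_LOG = [{"client": "192.0.2.20", "exit_ip": VPN_EXIT, "start": T}]

def destinations_seen_by_isp(subscriber):
    """Everything the retained data shows on its own: destination addresses."""
    return {r["dst"] for r in ISP_RECORDS if r["subscriber"] == subscriber}

def linked_accounts(subscriber, vpn_log=()):
    """Accounts tied to a subscriber once the service's log is joined in."""
    linked = set()
    for rec in ISP_RECORDS:
        if rec["subscriber"] != subscriber:
            continue
        seen_as = set()  # addresses under which the service saw this subscriber
        if rec["dst"].startswith(SERVICE_NET):
            seen_as.add(rec["src"])          # direct connection
        elif rec["dst"] == VPN_SERVER:
            for v in vpn_log:                # needs the VPN provider's records
                if v["client"] == rec["src"] and abs(v["start"] - rec["start"]) <= WINDOW:
                    seen_as.add(v["exit_ip"])
        for entry in SERVICE_LOG:
            if entry["ip"] in seen_as and abs(entry["time"] - rec["start"]) <= WINDOW:
                linked.add(entry["account"])
    return linked

if __name__ == "__main__":
    for sub in ("A", "B"):
        print(sub, destinations_seen_by_isp(sub), linked_accounts(sub),
              linked_accounts(sub, VPN_LOG))
```
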